VFVerafile Sentinel

CMMC Level 2 evidence infrastructure

Compliance evidence your assessor can verify without trusting anyone — including us.

Verafile Sentinel anchors cryptographic fingerprints of your compliance documents to a public ledger, producing tamper-evident proof that each file existed, in exactly its current state, no later than a specific date. Verified against public data — no Verafile software, account, or cooperation required.

Request demo access See pricing

Reply same day with your name and organization — we set up demo access within one business day.

EVIDENCE RECORD · SENTINEL PROOF INDEPENDENTLY VERIFIABLE
Document
SSP_rev14_2026.pdf
Fingerprint
9f41c7a02b8e55d31a6f0c4e7d92b8a1…
Anchored
Arbitrum One · block 352,800,417
Timestamp
2026-06-11 17:42:09 UTC
Standard
ERC-8281 · Observation Commitment Protocol
Existed no later than anchor time · alteration detectable forever status: sealed
Anchored on a public ledgerArbitrum One via ERC-8281, an open Ethereum standard — not a proprietary format.
Verified with public data onlyYour assessor runs the published procedure against the public record. No vendor in the loop.
Evidence outlives the vendorIf Verafile vanished tomorrow, every proof you've ever made would still verify. That's the design.

Section 01 · How it works

Three steps. Under a minute. Assessor-ready.

Built for the documents your C3PAO will sample in 2027 or 2028: audit logs, SSPs, POA&Ms, baselines, and scan reports become evidence that provably wasn't altered or back-dated.

STEP 1 / UPLOAD

Upload

Select your document type and drag in your files. They're hashed with a random salt — file contents never leave your session, and the public record reveals nothing about them.

STEP 2 / SEAL

Seal

One click anchors the salted fingerprint to Arbitrum One via ERC-8281, an open Ethereum standard. Takes under a minute.

STEP 3 / PROVE

Prove

Download your proof file and a formatted CMMC compliance report PDF, ready for your assessment binder.

Section 02 · What you get

A compliance report written to survive a skeptical read.

Every anchor produces a formatted PDF for your assessment binder — and the language inside is deliberate. It states the precise relationship between the anchor and each CMMC practice, never claims a practice is "satisfied" by software, and includes the limitations in plain text.

The restraint is the point. The first inflated claim an assessor reads discounts the entire binder. Sentinel's reports earn credibility by claiming exactly what the cryptography supports — and proving it.

  • Organization, document type, report date, and anchor details — transaction, block, timestamp, public explorer link
  • Every anchored file with its cryptographic fingerprint
  • The CMMC Level 2 practices this anchor evidences, with the precise relationship stated for each
  • A step-by-step independent verification procedure any assessor can run
  • A plain statement of what the evidence establishes — and what it doesn't

Section 03 · CMMC Level 2 coverage

Thirteen practices, claimed precisely.

No product satisfies a CMMC practice on its own — practices are organizational requirements your assessor evaluates against NIST SP 800-171A objectives. Sentinel maps its contribution in three honest categories.

Directly implements

Cryptographic integrity protection for audit information (AU-9(3) control lineage). Tampering with anchored logs becomes cryptographically detectable — even by privileged insiders.

AU.L2-3.3.8
Partially supports

Retention integrity for audit records; tamper-evident configuration baselines, drift detection, and change tracking; a file-integrity monitoring component with reference values no attacker can alter.

AU.L2-3.3.1CM.L2-3.4.1CM.L2-3.4.2CM.L2-3.4.3SI.L2-3.14.6
Evidence generation

Tamper-evident, independently verifiable artifacts demonstrating your implementation was in place and operating — evidence that can't be fabricated after the fact, because anchors can't be created in the past.

AU.L2-3.3.2IR.L2-3.6.1IR.L2-3.6.2CA.L2-3.12.1CA.L2-3.12.3CA.L2-3.12.4RA.L2-3.11.2

Detailed practice-by-practice mapping documentation — written to be handed directly to your assessor — is available on request.

Section 04 · Why now

The one thing about November 2028 you can't fix later.

CMMC requirements are phasing into DoD contracts now, with full implementation — every applicable solicitation and contract, including option periods — in November 2028 under 32 CFR 170.

Assessment evidence has to demonstrate sustained implementation, covering the period before your assessment. Policies can be rewritten and controls tightened right up until the assessor arrives. Evidence history is the exception: integrity evidence cannot be created retroactively.

A contractor who starts anchoring today walks into assessment with a multi-year, independently verifiable evidence history. One who starts the month before walks in with a month.

  • NOV 2025 · PHASE 1Program rule in effect — Level 1 & Level 2 self-assessment requirements begin appearing in solicitations
  • NOV 2026 · PHASE 2Level 2 C3PAO certification requirements — third-party assessment enters applicable solicitations
  • NOV 2027 · PHASE 3Certification extends — condition of award and of exercising option periods
  • NOV 2028 · PHASE 4Full implementation — all applicable solicitations and contracts, including option periods on prior awards

Section 05 · Pricing

Every plan buys the same guarantee.

Tamper-evident proof that your documents existed in their exact current state no later than the moment you sealed them — verifiable by anyone, using only public data. Tiers differ in volume, automation, and how much of our time comes with the software. A sealed package is one anchoring operation, containing as many files as you upload together.

Starter

For contractors getting their evidence discipline started.

$500 / month

  • Up to 50 sealed packages per month
  • CMMC Level 2 compliance report PDF with every anchor
  • Arbitrum One anchoring (ERC-8281 open standard)
  • Proof file download with every anchor — your permanent, vendor-independent verification record
  • Email support
Start with Starter

Professional

For contractors building a continuous evidence history ahead of assessment.

$1,200 / month

  • Up to 500 sealed packages per month
  • Everything in Starter
  • Scheduled automatic anchoring — daily or weekly, an unbroken history with nobody clicking anything
  • Bulk upload via API
  • Priority support
  • Assessment preparation consultation — 1 hour/month
Choose Professional

Enterprise

For contractors who want this handled, with their name on it.

$2,000 / month

  • Unlimited sealed packages
  • Everything in Professional
  • Dedicated account manager
  • Custom CMMC practice mapping review for your environment and SSP
  • White-label proof reports with your branding
  • 99.9% uptime SLA
  • Direct line to the founder
Talk to us about Enterprise

A note on timing. We won't tell you the sky is falling — but we will tell you the one thing about the 2028 deadline that can't be fixed later: assessment evidence has to cover the period before your assessment, and integrity evidence cannot be created retroactively. Every month you anchor is a month of verifiable history you'll have in the room. That's the whole urgency argument; it happens to be true.

Section 06 · Questions a compliance officer should ask

And our answers.

No. Certification comes from a C3PAO assessment of your organization. Sentinel produces tamper-evident evidence that your implementation was in place and operating — it strengthens the artifacts your assessor examines. No product satisfies a CMMC practice by being purchased, and we'd be suspicious of any vendor who says otherwise.

No. Your files never leave your session. Sentinel computes a cryptographic fingerprint locally, combined with a random salt, and only that salted fingerprint is anchored. The public record reveals nothing about your file contents or names — the salt specifically prevents anyone from confirming document contents by guessing, even for predictable document formats. Keep your proof file with your records: it contains the salt, which is required to verify the anchor.

Your assessor decides what evidence suffices — that's their job, and CMMC Level 2 assessment is evidence-driven. What Sentinel guarantees is that the evidence question becomes easy to answer: the report includes a verification procedure your assessor can run independently against public blockchain data, with no Verafile software, account, or cooperation involved. We provide a full practice-by-practice mapping document, written to be read by assessors, that states precisely what each anchor does and doesn't establish.

Nothing. That's the design. Anchors live on a public blockchain that we don't operate; the verification procedure is a published open standard (ERC-8281); your proof files are in your possession. Every proof remains verifiable forever using public infrastructure. Most compliance tools make this promise with an export button — ours doesn't need one.

Your existing anchors are permanent and stay verifiable — they're on a public blockchain, and the proof files are yours. You stop being able to create new anchors and generate new reports. There's no lock-in by construction; we have to keep earning the subscription.

Yes — every proof report includes the step-by-step procedure: hash your files, reconstruct the root with the salt from your proof file, and confirm it against the transaction on any Arbitrum One block explorer or RPC endpoint. Ten minutes with standard tools, no Verafile involvement.

Start the evidence history you can't backfill.

Reply with your name and organization — demo access the same day, and the full assessor-facing mapping document with it.

Request demo access
Verafile Sentinel — Compliance evidence your assessor can verify independently
VFVerafile Sentinel

CMMC Level 2 evidence infrastructure

Compliance evidence your assessor can verify without trusting anyone — including us.

Verafile Sentinel anchors cryptographic fingerprints of your compliance documents to a public ledger, producing tamper-evident proof that each file existed, in exactly its current state, no later than a specific date. Verified against public data — no Verafile software, account, or cooperation required.

Request demo access See pricing

Reply same day with your name and organization — we set up demo access within one business day.

EVIDENCE RECORD · SENTINEL PROOF INDEPENDENTLY VERIFIABLE
Document
SSP_rev14_2026.pdf
Fingerprint
9f41c7a02b8e55d31a6f0c4e7d92b8a1…
Anchored
Arbitrum One · block 352,800,417
Timestamp
2026-06-11 17:42:09 UTC
Standard
ERC-8281 · Observation Commitment Protocol
Existed no later than anchor time · alteration detectable forever status: sealed
Anchored on a public ledgerArbitrum One via ERC-8281, an open Ethereum standard — not a proprietary format.
Verified with public data onlyYour assessor runs the published procedure against the public record. No vendor in the loop.
Evidence outlives the vendorIf Verafile vanished tomorrow, every proof you've ever made would still verify. That's the design.

Section 01 · How it works

Three steps. Under a minute. Assessor-ready.

Built for the documents your C3PAO will sample in 2027 or 2028: audit logs, SSPs, POA&Ms, baselines, and scan reports become evidence that provably wasn't altered or back-dated.

STEP 1 / UPLOAD

Upload

Select your document type and drag in your files. They're hashed with a random salt — file contents never leave your session, and the public record reveals nothing about them.

STEP 2 / SEAL

Seal

One click anchors the salted fingerprint to Arbitrum One via ERC-8281, an open Ethereum standard. Takes under a minute.

STEP 3 / PROVE

Prove

Download your proof file and a formatted CMMC compliance report PDF, ready for your assessment binder.

Section 02 · What you get

A compliance report written to survive a skeptical read.

Every anchor produces a formatted PDF for your assessment binder — and the language inside is deliberate. It states the precise relationship between the anchor and each CMMC practice, never claims a practice is "satisfied" by software, and includes the limitations in plain text.

The restraint is the point. The first inflated claim an assessor reads discounts the entire binder. Sentinel's reports earn credibility by claiming exactly what the cryptography supports — and proving it.

  • Organization, document type, report date, and anchor details — transaction, block, timestamp, public explorer link
  • Every anchored file with its cryptographic fingerprint
  • The CMMC Level 2 practices this anchor evidences, with the precise relationship stated for each
  • A step-by-step independent verification procedure any assessor can run
  • A plain statement of what the evidence establishes — and what it doesn't

Section 03 · CMMC Level 2 coverage

Thirteen practices, claimed precisely.

No product satisfies a CMMC practice on its own — practices are organizational requirements your assessor evaluates against NIST SP 800-171A objectives. Sentinel maps its contribution in three honest categories.

Directly implements

Cryptographic integrity protection for audit information (AU-9(3) control lineage). Tampering with anchored logs becomes cryptographically detectable — even by privileged insiders.

AU.L2-3.3.8
Partially supports

Retention integrity for audit records; tamper-evident configuration baselines, drift detection, and change tracking; a file-integrity monitoring component with reference values no attacker can alter.

AU.L2-3.3.1CM.L2-3.4.1CM.L2-3.4.2CM.L2-3.4.3SI.L2-3.14.6
Evidence generation

Tamper-evident, independently verifiable artifacts demonstrating your implementation was in place and operating — evidence that can't be fabricated after the fact, because anchors can't be created in the past.

AU.L2-3.3.2IR.L2-3.6.1IR.L2-3.6.2CA.L2-3.12.1CA.L2-3.12.3CA.L2-3.12.4RA.L2-3.11.2

Detailed practice-by-practice mapping documentation — written to be handed directly to your assessor — is available on request.

Section 04 · Why now

The one thing about November 2028 you can't fix later.

CMMC requirements are phasing into DoD contracts now, with full implementation — every applicable solicitation and contract, including option periods — in November 2028 under 32 CFR 170.

Assessment evidence has to demonstrate sustained implementation, covering the period before your assessment. Policies can be rewritten and controls tightened right up until the assessor arrives. Evidence history is the exception: integrity evidence cannot be created retroactively.

A contractor who starts anchoring today walks into assessment with a multi-year, independently verifiable evidence history. One who starts the month before walks in with a month.

  • NOV 2025 · PHASE 1Program rule in effect — Level 1 & Level 2 self-assessment requirements begin appearing in solicitations
  • NOV 2026 · PHASE 2Level 2 C3PAO certification requirements — third-party assessment enters applicable solicitations
  • NOV 2027 · PHASE 3Certification extends — condition of award and of exercising option periods
  • NOV 2028 · PHASE 4Full implementation — all applicable solicitations and contracts, including option periods on prior awards

Section 05 · Pricing

Every plan buys the same guarantee.

Tamper-evident proof that your documents existed in their exact current state no later than the moment you sealed them — verifiable by anyone, using only public data. Tiers differ in volume, automation, and how much of our time comes with the software. A sealed package is one anchoring operation, containing as many files as you upload together.

Starter

For contractors getting their evidence discipline started.

$500 / month

  • Up to 50 sealed packages per month
  • CMMC Level 2 compliance report PDF with every anchor
  • Arbitrum One anchoring (ERC-8281 open standard)
  • Proof file download with every anchor — your permanent, vendor-independent verification record
  • Email support
Start with Starter

Professional

For contractors building a continuous evidence history ahead of assessment.

$1,200 / month

  • Up to 500 sealed packages per month
  • Everything in Starter
  • Scheduled automatic anchoring — daily or weekly, an unbroken history with nobody clicking anything
  • Bulk upload via API
  • Priority support
  • Assessment preparation consultation — 1 hour/month
Choose Professional

Enterprise

For contractors who want this handled, with their name on it.

$2,000 / month

  • Unlimited sealed packages
  • Everything in Professional
  • Dedicated account manager
  • Custom CMMC practice mapping review for your environment and SSP
  • White-label proof reports with your branding
  • 99.9% uptime SLA
  • Direct line to the founder
Talk to us about Enterprise

A note on timing. We won't tell you the sky is falling — but we will tell you the one thing about the 2028 deadline that can't be fixed later: assessment evidence has to cover the period before your assessment, and integrity evidence cannot be created retroactively. Every month you anchor is a month of verifiable history you'll have in the room. That's the whole urgency argument; it happens to be true.

Section 06 · Questions a compliance officer should ask

And our answers.

No. Certification comes from a C3PAO assessment of your organization. Sentinel produces tamper-evident evidence that your implementation was in place and operating — it strengthens the artifacts your assessor examines. No product satisfies a CMMC practice by being purchased, and we'd be suspicious of any vendor who says otherwise.

No. Your files never leave your session. Sentinel computes a cryptographic fingerprint locally, combined with a random salt, and only that salted fingerprint is anchored. The public record reveals nothing about your file contents or names — the salt specifically prevents anyone from confirming document contents by guessing, even for predictable document formats. Keep your proof file with your records: it contains the salt, which is required to verify the anchor.

Your assessor decides what evidence suffices — that's their job, and CMMC Level 2 assessment is evidence-driven. What Sentinel guarantees is that the evidence question becomes easy to answer: the report includes a verification procedure your assessor can run independently against public blockchain data, with no Verafile software, account, or cooperation involved. We provide a full practice-by-practice mapping document, written to be read by assessors, that states precisely what each anchor does and doesn't establish.

Nothing. That's the design. Anchors live on a public blockchain that we don't operate; the verification procedure is a published open standard (ERC-8281); your proof files are in your possession. Every proof remains verifiable forever using public infrastructure. Most compliance tools make this promise with an export button — ours doesn't need one.

Your existing anchors are permanent and stay verifiable — they're on a public blockchain, and the proof files are yours. You stop being able to create new anchors and generate new reports. There's no lock-in by construction; we have to keep earning the subscription.

Yes — every proof report includes the step-by-step procedure: hash your files, reconstruct the root with the salt from your proof file, and confirm it against the transaction on any Arbitrum One block explorer or RPC endpoint. Ten minutes with standard tools, no Verafile involvement.

Start the evidence history you can't backfill.

Reply with your name and organization — demo access the same day, and the full assessor-facing mapping document with it.

Request demo access